Splunk SOAR

Phantom / SOAR duplication of results using action_result.add_data()

turtles
New Member

Hi Guys,

I am trying to learn Phantom app development using an on-prem phantom installation, and have come across really weird behavior with adding data to action_results.

If I have some data I want to add, say:
data = ["abc", "def", "ghi", "jkl"]
it makes sense that I might want to do something like:

for d in data:
    action_result.add_data(d)

and expect to get an action result with 4 entries... instead what results is that I get an action result with 4 duplicates of the above data, effectively 16 entries:

[["abc", "def", "ghi", "jkl"], ["abc", "def", "ghi", "jkl"], ["abc", "def", "ghi", "jkl"], ["abc", "def", "ghi", "jkl"]]

Maybe this is intended behavior? To me this is weird, but since this is in my own app I just have to find ways to get around it. However, this behaviour also exists in all the other apps such as the splunk app.

If I use the splunk app to make a search against my splunk instance say with the query

index=test | head 6

then I would expect to get 6 results, however since the splunk app is also iterating over the results it receives and uses the add_data method, the action results end up being 6 duplicate lists of 6 entries, so effectively 36 results. I am unable to parse this in any playbook blocks. If I write JUST custom code blocks then I can extract the desired results, but then what is the point of playbooks if I am just writing everything in Python code anyway? Also what if I expect my search to return 1000 results? Having the action result grow exponentially means that the action result will be 1,000,000 items, which gets ridiculous.

Is this expected behaviour? If so, how do I get the results using the GUI playbook editor?

Or is my Phantom instance borked somehow? (I ran the normal installer, haven't made any changes to my instance)
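As an added illustration (not code from the post or from the Splunk SOAR SDK), the two result shapes the post contrasts, using a minimal stand-in for ActionResult whose add_data only appends; StubActionResult, add_rows, add_whole_list_per_row and is_nested_duplicate are all assumed names, and the checker lets an app assert on its own result shape, whatever the underlying cause, before debugging playbook datapaths.

```python
# Added example: a stand-in for phantom.action_result.ActionResult (assumed,
# not the real class), just enough to contrast the two result shapes and to
# flag the N x N nesting the post describes.

class StubActionResult:
    """Minimal stand-in; real apps use phantom.action_result.ActionResult."""

    def __init__(self):
        self._data = []

    def add_data(self, item):
        # The real add_data appends one item per call; Phantom expects each
        # item to be a dict so playbooks can address it as action_result.data.*.<key>
        self._data.append(item)

    def get_data(self):
        return self._data


def add_rows(action_result, rows):
    """Expected pattern: one flat dict per result row, added exactly once."""
    for row in rows:
        action_result.add_data({"value": row})
    return action_result.get_data()


def add_whole_list_per_row(action_result, rows):
    """The shape the post observes: the full list appended once per row."""
    for _ in rows:
        action_result.add_data(list(rows))
    return action_result.get_data()


def is_nested_duplicate(data):
    """True when every entry is a list and all entries are identical copies,
    i.e. N results have become N lists of N (4 -> 16, 6 -> 36 in the post)."""
    return (len(data) > 0
            and all(isinstance(entry, list) for entry in data)
            and all(entry == data[0] for entry in data))


if __name__ == "__main__":
    rows = ["abc", "def", "ghi", "jkl"]   # constructed sample, as in the post
    good = add_rows(StubActionResult(), rows)
    bad = add_whole_list_per_row(StubActionResult(), rows)
    print(len(good), is_nested_duplicate(good))                          # 4 False
    print(len(bad), sum(len(e) for e in bad), is_nested_duplicate(bad))  # 4 16 True
```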
